CDFA hack exposes usernames and passwords

California’s food safety and agriculture watchdog recently started contacting individuals who may have been impacted by the security incident.
According to a data breach notice, the CDFA detected a security incident on March 4th that affected an external site – Plant Health and Pest Prevention Services.

The CDFA’s letter said that “a breach on the website led to the exposure of information to external users.”
The breach exposed personally identifiable information (PII) such as names and last names, addresses, phone numbers, and email addresses, as well as the site’s users’ usernames and passwords.
The CDFA suggested “changing password(s) as username and password were implicated to prevent unauthorized access”.
Another California-based organization, the Los Angeles Department of Mental Health (DMH), was breached earlier this week, with attackers employing a push notification spam attack.
Attackers first breached the City of Gardena Police Department (GPD) and used email exchanges between GPD and DMH to contact an employee of the latter and access their email account.

Source – https://cybernews.com/news/california-department-food-agriculture-breach/

Active exploitation underway 

In November 2023, Anyscale disclosed five Ray vulnerabilities, fixing four tracked as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023.
However, the fifth bug, a critical remote code execution flaw tracked as CVE-2023-48022, was not fixed because, according to them, its lack of authentication was a long-standing design decision.
Specifically, Anyscale stated that the flaw is exploitable only in deployments that violated the recommendations in the projects documentation to limit Ray’s use in a strictly controlled network environment.
Furthermore, Anyscale does not believe these flaws are vulnerabilities but instead bugs, as their platform is designed to execute code as a distributed execution framework.
Regardless of how the flaw is classified, its lack of authentication has created an opportunity for hackers who have been exploiting the CVE-2023-48022 bug in unsecured environments.
Oligo discovered that hundreds of publicly exposed Ray servers were compromised via CVE-2023-48022, allowing attackers to access sensitive information, including AI models, environment variables, production database credentials, and cloud environment access tokens.
In some observed cases, the attackers used their access to powerful graphics cards in machine learning training to conduct cryptocurrency (Monero) mining operations.
Others utilize reverse shells to gain persistence in compromised environments, executing arbitrary code through Python pseudo-terminals.
The researchers also investigated base64 encoded payloads, revealing attempts to escalate privileges on compromised machines using open-source scripts that are not detected by any AV engines on VirusTotal.

Source – https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framework-flaw-to-breach-servers-hijack-resources/

Los Angeles Department of Mental Health hacked

The City of Gardena Police Department (GPD) was initially hit by a cyberattack in which threat actors accessed an employee’s GPD Microsoft Office 365 account via a multi-factor authentication attack or push notification attack on January 22nd, 2024.
The email exchanges between the GPD and the Department of Mental Health (DMH) allowed the threat actor(s) to contact a DMH employee via email and access that employee’s Microsoft Office 365 account.
Malicious actors employ push notification attacks (push fatigue attacks or MFA-prompt bombing) to bypass multi-factor authentication and breach accounts. The attackers often already possess valid usernames and passwords as they spam the victim with notifications to authenticate until the target tires and finally accepts it.
The personal information involved includes:
-Names
-Dates of birth
-Social Security numbers
-Addresses
-Telephone numbers
-Medical record numbers
Despite the vast amount of personal information involved, the DMH claims that there’s no evidence the information has been exploited.
Once the DMH became aware of the attack, the organization claimed to disable the affected accounts promptly while resetting “the Microsoft Office 365 and multi-factor authentication credentials,” the breach notification reads.
The investigation into the breach concluded on March 19th, 2024, once forensic specialists and law enforcement had been informed.

The DMH advises affected individuals “to examine their financial and account statements thoroughly and promptly report any dubious activities to the institution responsible for issuing the record”.

Source – https://cybernews.com/news/los-angeles-department-of-mental-health-hacked/

New “GoFetch” Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys

A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations.
Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023.
Prefetchers are a hardware optimization technique that predicts what memory addresses a currently running program will access in the near future and retrieve the data into the cache accordingly from the main memory. The goal of this approach is to reduce the program’s memory access latency.
DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetcher into revealing the contents associated with a victim process that should be otherwise inaccessible.
GoFetch also builds on the foundations of another microarchitectural attack called Augury that employs DMP to leak data speculatively.

Like other attacks of this kind, the setup requires that the victim and attacker have two different processes co-located on the same machine and on the same CPU cluster. Specifically, the threat actor could lure a target into downloading a malicious app that exploits GoFetch.
What’s more, while the attacker and the victim do not share memory, the attacker can monitor any microarchitectural side channels available to it, e.g., cache latency.
GoFetch, in a nutshell, demonstrates that “even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim’s behalf,” rendering it susceptible to key-extraction attacks.
The fundamental nature of the flaw means that it cannot be fixed in existing Apple CPUs, requiring that developers of cryptographic libraries take steps to prevent conditions that allow GoFetch to succeed, something that could also introduce a performance hit. Users, on the other hand, are urged to keep their systems up-to-date.
On Apple M3 chips, however, enabling data-independent timing (DIT) has been found to disable DMP. This is not possible on M1 and M2 processors.
“In its documentation, Apple explains that Apple silicon offers data-independent timing (DIT), ensuring that the processor executes specific instructions consistently within a fixed duration. When DIT is activated, the processor operates based on the longest potential time required to complete the instruction, irrespective of the input data.”
The iPhone maker also emphasized that although turning on DIT prevents timing-based leakage, developers are recommended to adhere to “avoid conditional branches and memory access locations based on the value of the secret data” in order to effectively block an adversary from inferring secret by keeping tabs on the processor’s microarchitectural state.
The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack affecting popular browsers and graphics cards that leverages specially crafted JavaScript code in a website to infer sensitive information such as passwords.
The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.
A threat actor could weaponize it by means of a drive-by attack, allowing for the extraction of AES keys or mining cryptocurrencies as users browse the internet. It impacts all operating systems and browsers implementing the WebGPU standard, as well as a broad range of GPU devices.
As countermeasures, the researchers propose treating access to the host system’s graphics card via the browser as a sensitive resource, requiring websites to seek users permission (like in the case of camera or microphone) before use.

Source – https://thehackernews.com/2024/03/new-gofetch-vulnerability-in-apple-m.html

CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting the Microsoft Sharepoint Server to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2023-24955 (CVSS score: 7.2), is a critical remote code execution flaw that allows an authenticated attacker with Site Owner privileges to execute arbitrary code.
“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server,” Microsoft said in an advisory. The flaw was addressed by Microsoft as part of its Patch Tuesday updates for May 2023.
The development comes more than two months after CISA added CVE-2023-29357, a privilege escalation flaw in SharePoint Server, to its KEV catalog.
It’s worth pointing out that an exploit chain combining CVE-2023-29357 and CVE-2023-24955 was demonstrated by StarLabs SG at the Pwn2Own Vancouver hacking contest last year, earning the researchers a $100,000 prize.
That said, there is currently no information on the attacks weaponizing these two vulnerabilities and the threat actors that may be exploiting them.
Microsoft previously told The Hacker News that “customers who have enabled automatic updates and enable ‘Receive updates for other Microsoft products’ option within their Windows Update settings are already protected.”
Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by April 16, 2024, to secure their networks against active threats.

Source – https://thehackernews.com/2024/03/cisa-warns-hackers-actively-attacking.html

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

The INC Ransom extortion gang is threatening to publish three terabytes of data allegedly stolen after breaching the National Health Service (NHS) of Scotland.
In a post yesterday, the cybercriminals shared multiple images containing medical details and said that they would leak data “soon,” unless the NHS pays a ransom.
Scotland’s NHS is the country’s public health system, providing services ranging from primary care, hospital care, dental care, pharmaceutical, and long-term care.
INC Ransom is a data extortion operation that emerged in July 2023 and targets organizations in both the public and the private sector. Among the victims are education, healthcare, and government organizations, and industrial entites like Yamaha Motor.
Reports about a cybersecurity incident disrupting NHS Scotland services appeared on March 15, likely when the attack occurred.
In yesterday’s post, the threat actor published several sample documents with sensitive information about doctors and patients, including medical assessments, analysis results, and psychological reports.
A spokesperson for the Scottish Government told BleepingComputer that the cyberattack impacts only NHS Dumfries and Galloway, one of the regional health boards that make up NHS Scotland.
The spokesperson added that the government is working with multiple entities, including the health board, Police Scotland and other agencies (e.g. National Crime Agency, National Cyber Security Centre) to determine the impact of the breach “and the possible implications for individuals concerned.”
Meanwhile, NHS Dumfries and Galloway has confirmed today that a ransomware group leaked clinical data relating to a small number of patients.
The organization states that this was the result of the cyberattack that occurred two weeks ago, which compromised its IT systems and resulted in the unauthorized access of “a significant amount of data including patient and staff-identifiable information.”

Source – https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/

Apple users face barrage of MFA bombing attacks

During these elaborate phishing attacks, Apple devices are forced to display multiple system-level prompts that prevent the devices from being used until the user responds “Allow” or “Don’t Allow” to each prompt. These are mostly password reset requests.
This kind of “bombing” creates an impression that the device or the user’s account is under attack. The scammers then call the victim – spoofing Apple support in the caller ID – and tell them that they need to “verify” a one-time code.

Creating a false sense of trust
A similar phishing campaign was described last week on X by Parth Patel, an entrepreneur who called it a “push bombing” or “MFA fatigue” attack.

Source – https://cybernews.com/news/apple-devices-mfa-bombing-attacks/

Facebook may have exploited user devices to spy on competitors, documents show

Facebook was caught using a cyberattack method, “SSL man-in-the-middle,” to intercept and decrypt Snapchat, YouTube, and Amazon encrypted analytics traffic.

Codenamed “Ghostbusters,” the project aimed at intercepting rivals’ encrypted app traffic for analytics despite some internal dissent. This practice is likely in violation of wiretapping laws and “potentially criminal,” advertisers suing Meta claim.
Facebook developed custom technology, so-called “kits,” on both Android and iOS devices that impersonated official servers and decrypted traffic Facebook wasn’t authorized to access. The data allowed Facebook to plan competitive moves against Snapchat and other companies.

According to Meta’s assertion, “Snapchat’s designated witness regarding advertising under Rule 30(b)(6) acknowledged that Snap couldn’t pinpoint any specific advertisement sales it missed out on due to Meta’s utilization of user research tools. Furthermore, the witness admitted to being unaware of whether other competitors gathered comparable data or if Meta’s research activities conferred any competitive edge upon Meta.”

Smarttech247